Richard Bollinger
2018-Nov-13 14:21 UTC
[Samba] Upgraded to 4.8 - forced to use winbindd - retro how to missing?
Prior to 4.8, without winbind in the picture, a windows user named "rab", for instance, could be authenticated by AD, but would assume the identity of the Unix user "rab", with all of his Unix defined groups.

Of course, this is not full emulation of a Windows server experience, but nonetheless it is the behavior we wanted and worked well in our environment where every AD user who needed access to a Unix server had a corresponding Unix ID assigned with that user's uid, gids, identical on all the Unix servers.

That is the "legacy" behavior we desire. Is it still possible to achieve it with the current version of Samba?

Thanks for your help.

On Tue, Nov 13, 2018 at 4:36 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 12 Nov 2018 19:05:59 -0500
> Richard Bollinger via samba <samba at lists.samba.org> wrote:
>
> > We recently upgraded a test server to samba-4.8.3.... but wonder how
> > to reproduce the legacy behavior with winbind now forced into the
> > picture for better or worse.
> >
> > We specifically do not want any of the whiz-bang capabilities of
> > winbind, just the old familiar mapping of windows usernames to unix
> > usernames.
>
> I have replied to you over on the Samba technical mailing list, but
> what do you mean by 'the old familiar mapping of windows usernames to
> unix usernames', what about UID's & GID's ?
>
> >
> > It seems not sufficient to omit winbind settings in smb.conf; i.e.,
> > the defaults force the "new and improved" behavior.
>
> No, it forces the correct Samba behaviour.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2018-Nov-13 14:37 UTC
[Samba] Upgraded to 4.8 - forced to use winbindd - retro how to missing?
On Tue, 13 Nov 2018 09:21:14 -0500
Richard Bollinger <rabollinger at gmail.com> wrote:

> Prior to 4.8, without winbind in the picture, a windows user named
> "rab", for instance, could be authenticated by AD, but would assume
> the identity of the Unix user "rab", with all of his Unix defined
> groups.
>
> Of course, this is not full emulation of a Windows server experience,
> but nonetheless it is the behavior we wanted and worked well in our
> environment where every AD user who needed access to a Unix server
> had a corresponding Unix ID assigned with that user's uid, gids,
> identical on all the Unix servers.
>
> That is the "legacy" behavior we desire. Is it still possible to
> achieve it with the current version of Samba?
>

No and why would you want to ?
Doing it your way means that you have to maintain the users & groups in two places, a total anathema to AD.

Just set up the Unix domain member correctly and your Windows users & groups become Unix users & groups, all of them if you use the winbind 'rid' backend, or, if you use the 'ad' backend, just the ones you give a uidNumber or gidNumber attribute.

If you don't want to do this (and I fail to see why you wouldn't want to), then leave the domain, and set the Samba server up as a standalone server.

Rowland
Christian Naumer
2018-Nov-13 14:48 UTC
[Samba] Upgraded to 4.8 - forced to use winbindd - retro how to missing?
I don't know if this still works but it does what you want:

https://www.samba.org/samba/docs/current/man-html/idmap_nss.8.html

Regards

On 13.11.18 at 15:37, Rowland Penny via samba wrote:

> On Tue, 13 Nov 2018 09:21:14 -0500
> Richard Bollinger <rabollinger at gmail.com> wrote:
>
>> Prior to 4.8, without winbind in the picture, a windows user named
>> "rab", for instance, could be authenticated by AD, but would assume
>> the identity of the Unix user "rab", with all of his Unix defined
>> groups.
>>
>> Of course, this is not full emulation of a Windows server experience,
>> but nonetheless it is the behavior we wanted and worked well in our
>> environment where every AD user who needed access to a Unix server
>> had a corresponding Unix ID assigned with that user's uid, gids,
>> identical on all the Unix servers.
>>
>> That is the "legacy" behavior we desire. Is it still possible to
>> achieve it with the current version of Samba?
>>
>
> No and why would you want to ?
> Doing it your way means that you have to maintain the users & groups in
> two places, a total anathema to AD.
>
> Just set up the Unix domain member correctly and your Windows users &
> groups become Unix users & groups, all of them if you use the winbind
> 'rid' backend, or, if you use the 'ad' backend, just the ones you give
> a uidNumber or gidNumber attribute.
>
> If you don't want to do this (and I fail to see why you wouldn't want
> to), then leave the domain, and set the Samba server up as a standalone
> server.
>
> Rowland
>

--
Dr. Christian Naumer
Research Scientist
Platform Coordinator Bioprocess Engineering
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
phone +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Commercial register: AG Darmstadt, HRB 24758
Management board: Dr. Juergen Eck (Chairman), Frank Goebel
Chairman of the supervisory board: Dr. Ludger Mueller
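
The idmap backends named in this thread ('rid', 'ad', and the 'nss' backend from the linked man page), laid out as a domain-member smb.conf. This is an added example, not configuration posted by anyone in the thread; the domain name EXAMPLE, the realm and every ID range are placeholder assumptions.

```ini
# smb.conf fragment for a domain member (added example, placeholder values).
# smb.conf has no trailing comments, so every comment sits on its own line.
[global]
    security = ads
    # Placeholder NetBIOS domain name and Kerberos realm.
    workgroup = EXAMPLE
    realm = EXAMPLE.COM

    # Default domain (*): BUILTIN and other accounts outside EXAMPLE.
    # Its range must not overlap any per-domain range below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Option 1, idmap_nss: winbind asks the local NSS for the Unix account
    # with the same name and uses its existing uid/gid. The range has to
    # cover the IDs already assigned on the Unix side; the mapping is
    # read-only, so accounts still have to exist in both places.
    idmap config EXAMPLE : backend = nss
    idmap config EXAMPLE : range = 10000-999999

    # Option 2, idmap_rid: IDs are computed from each account's RID, so
    # every domain user and group gets a Unix ID with nothing to maintain.
    # idmap config EXAMPLE : backend = rid
    # idmap config EXAMPLE : range = 10000-999999

    # Option 3, idmap_ad: IDs come from the uidNumber / gidNumber
    # attributes stored in AD; accounts without them are not mapped.
    # idmap config EXAMPLE : backend = ad
    # idmap config EXAMPLE : schema_mode = rfc2307
    # idmap config EXAMPLE : range = 10000-999999
```

Only one backend can be active per domain; `testparm` checks the file for syntax errors before winbindd is restarted.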